Skip to content

Scorecard Integration#1294

Closed
404-geek wants to merge 76 commits into
aboutcode-org:mainfrom
404-geek:scorecard_integration
Closed

Scorecard Integration#1294
404-geek wants to merge 76 commits into
aboutcode-org:mainfrom
404-geek:scorecard_integration

Conversation

@404-geek
Copy link
Copy Markdown
Collaborator

@404-geek 404-geek commented Jun 26, 2024
edited
Loading

ScoreCode Integration

This pull request integrates the ScoreCode Repo into SCIO, enabling the fetching of the latest OSSF Scorecard Data for discovered packages using their vcs_url. The current implementation supports github.com and gitlab.com VCS URLs.

Key Features:

  • Integration with ScoreCode Repo
  • Fetching of OSSF Scorecard Data using vcs_url
  • Support for github.com and gitlab.com VCS URLs

Related Issues:

This feature enhances SCIO's functionality by ensuring that users can retrieve the most up-to-date security scores for packages discovered in their projects, improving overall security assessment and management.

404-geek added 30 commits June 26, 2024 13:20
@404-geek
Add ScoreCard config into settings.py
173db43 
developed functions to check for availability nexB#598

Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
code style fix nexB#598
272b99c 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
Merge branch 'refs/heads/ossf_api_template' into scorecard_integration
944cee2
@404-geek
settings.py code style fix nexB#598
bc445c1 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
mixin import and models declaration nexB#1283
f241b3b 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
transforming scorecard data into object for saving nexB#1283
605a5cf 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
added test cases for saving scorecard data into models and modified s…
3833dca 
…aving logic nexB#1283

Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
Merge branch 'main' into feat-models_integration
37380c8
@404-geek
added score checks mixin to models nexB#1283
5502b5f 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
Merge branch 'nexB:main' into feat-models_integration
2aeb2a4
@404-geek
empty details in score response handled nexB#1283
103fca0 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
changed class names to camel case for models and modified the tests n…
952e6a6 
…exB#1283

Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
code formatted nexB#1283
3ba3db5 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
code formatted nexB#1283
2f2b846 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
code formatted nexB#1283
39a056d 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
docstrings formatted nexB#1283
e5f3e7a 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
created basic fetch and availability functions for scorecode pipeline…
c2f5c4d 
… nexB#598

Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
Merge branch 'nexB:main' into scorecard_integration
6ee5b07
@404-geek
Merge remote-tracking branch 'origin/scorecard_integration' into scor…
760afc2 
…ecard_integration
@404-geek
modified doc strings and models and imported ScoreCode package in set…
0dbc92f 
…up.cfg nexB#1283

Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
setup.cfg nexB#1283
d652f42 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
Merge branch 'nexB:main' into scorecard_integration
aa154c0
@404-geek
Merge branch 'refs/heads/feat-models_integration' into scorecard_inte…
37ad73a 
…gration

# Conflicts:
#	scanpipe/models.py
#	scanpipe/tests/test_models.py
@404-geek
reinstated deleted code during rebase nexB#1283
563991b 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
code formatting nexB#1283
4632dfc 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
database migrations for scorecard nexB#1283
923c834 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
updated the scanpipe only fields nexB#1283
94bfcd0 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
changed scorecode commit hash for latest pull nexB#1283
d129f73 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
Merge branch 'nexB:main' into scorecard_integration
24c7be0
@404-geek
update pipeline code and changed scorecode hash commit nexB#1283
259f004 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
Merge branch 'aboutcode-org:main' into scorecard_integration
77efae0
@404-geek
update test cases and regen scorecard data logic nexB#1283
113a557 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
update migration file nexB#1283
64e17fe 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
remove unwanted change nexB#1283
027fe2d 
Signed-off-by: 404-geek <pranayd61@gmail.com>
tdruez
tdruez requested changes Dec 3, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@tdruez tdruez left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@404-geek See my various comments ;)

Also, the new pipeline needs to be added to the built-in-pipelines.rst documentation.

Comment thread scanpipe/migrations/0070_alter_project_purl_discoveredpackagescore_and_more.py Outdated
Comment thread scanpipe/models.py Outdated
Comment thread scanpipe/models.py Outdated
)

@classmethod
@transaction.atomic()
Copy link
Copy Markdown
Contributor

@tdruez tdruez Dec 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@404-geek You haven't address the question above yet ;)

Comment thread scanpipe/models.py Outdated
Comment thread scanpipe/models.py Outdated
Comment thread scanpipe/pipelines/fetch_scorecode_info.py Outdated
Comment thread scanpipe/tests/__init__.py Outdated
Comment thread scanpipe/tests/__init__.py Outdated
Comment thread scanpipe/tests/test_models.py Outdated
Comment thread scanpipe/tests/test_pipelines.py Outdated
@404-geek 404-geek requested a review from tdruez March 2, 2025 06:46
tdruez
tdruez requested changes Jun 24, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@tdruez tdruez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would also suggest to simplify the pipeline and module names:

  • fetch_scorecode_info -> fetch_scores
  • FetchScoreCodeInfo -> FetchScores

Comment thread setup.cfg Outdated
Comment thread scanpipe/tests/test_pipelines.py Outdated
Comment thread scanpipe/tests/test_pipelines.py Outdated
Comment thread scanpipe/tests/test_pipelines.py
Comment thread scanpipe/tests/regen_test_data.py Outdated
Comment thread scanpipe/models.py Outdated
Comment thread scanpipe/models.py
Comment thread scanpipe/tests/test_models.py
Comment thread scanpipe/tests/test_models.py Outdated
Comment thread scanpipe/tests/test_models.py Outdated
404-geek added 6 commits July 1, 2025 00:28
@404-geek
Merge branch 'main' into scorecard_integration
8e7fd43
@404-geek
cosmetic changes to pipeline
c6a8ac5 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
Resolved merge conflict with upstream
7cd0706 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
Refactor Code
e8275b4 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
Refactor Code
b8e6090 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
Migration Script
cda5531 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek 404-geek requested a review from tdruez July 14, 2025 13:44
tdruez
tdruez reviewed Jul 14, 2025
View reviewed changes
Comment thread scanpipe/migrations/0074_alter_codebaseresource_sha1_git_and_more.py Outdated
@tdruez
Copy link
Copy Markdown
Contributor

tdruez commented Jul 14, 2025

@404-geek We are almost ready but there's still a few comments you have not addressed yet.

404-geek added 2 commits July 17, 2025 02:03
@404-geek
Update Migration and redundant check of scores
5dfb513 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek
valid check
dd7d1b1 
Signed-off-by: 404-geek <pranayd61@gmail.com>
@404-geek 404-geek requested a review from tdruez July 17, 2025 13:08
@tdruez tdruez mentioned this pull request Jul 25, 2025
Merged
@tdruez
Copy link
Copy Markdown
Contributor

tdruez commented Jul 25, 2025

Thanks @404-geek for the last push on this.
Merging the branch with a few adjusments at #1777
Great work! 👍

@tdruez tdruez closed this Jul 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AyanSinhaMahapatra AyanSinhaMahapatra Awaiting requested review from AyanSinhaMahapatra

@tdruez tdruez Awaiting requested review from tdruez

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Enrich an SBOM using OSSF Security Score Card Store OSSF scorecard data in scancode.io models

4 participants

@404-geek @pombredanne @tdruez @AyanSinhaMahapatra